Crooks Switch from Ransomware to Cryptocurrency Mining

by Tom Spring, December 21, 2017, 5:30 pm

Criminals behind the VenusLocker ransomware have switched to cryptocurrency mining in their latest campaign targeting computer users in South Korea. Instead of 
attempting to infect targeted computers with ransomware, the group is now trying to install malware on PCs that mines for Monero, an open-source cryptocurrency. 

The shift was spotted by FortiGuard Labs, which said the group behind the attacks is attempting to capitalize on a surging cryptocurrency market. 
“With more and more people realizing that cryptocurrency is potentially a significantly profitable investment, this rise is likely to continue for the foreseeable future. And
where there is profit, that is where malware attacks will gather,” wrote FortiGuard in a report Wednesday.

Researchers said the shift by threat actors is also spurred by anti-ransomware mitigations that have made ransomware infections harder to pull off, and therefore less profitable.

“This past October Microsoft added a Controlled folder access feature to Windows Defender Security for Windows 10 users to prevent malicious (or unexpected) 
alteration of important files. Features such as this can effectively thwart ransomware attacks. Which is probably part of the reason why the threat actors behind 
VenusLocker decided to switch targets,” researchers said. 

Why Monero, and not the surging Bitcoin? According to FortiGuard, Monero’s mining algorithm is designed to run efficiently on ordinary CPUs, so a botnet of compromised desktops can mine it profitably. Bitcoin, on the other
hand, can only be mined competitively on systems equipped with Application-Specific Integrated Circuits (ASICs) or high-end GPUs, the researchers said.

“The second reason is Monero’s promise of transaction anonymity. With Bitcoin, a wallet is a public record,” researchers wrote. Monero uses “stealth addresses”
along with “transaction mixing” (ring signatures), allowing criminals to cloak both the destination and the history of mined funds.

Those behind VenusLocker, and now Monero mining malware, are targeting South Korean users via phishing campaigns. Emails contain malicious attachments 
compressed in EGG archive format, developed by ESTsoft, a South Korean tech firm. 

The lures vary. One fake message claims to come from a website that was recently hacked and insists the recipient open the attachment to see the personal data exposed in the breach.
Another insists the recipient open the attachment to view copyrighted images that were supposedly used illegally on the target’s own website.

“Once the malware is executed, an embedded binary of the Monero CPU miner XMRig v2.4.2 is executed. As a basic attempt to hide this resource hogging operation, the 
miner is executed as a remote thread under the legitimate Windows component wuapp.exe, which is executed beforehand to avoid raising suspicions,” researchers 
describe. 
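The injection technique just quoted is the part a defender can detect: a thread that appears inside a legitimate Windows process but was created by another process, from memory that no loaded module backs. Sysmon records exactly that as Event ID 8 (CreateRemoteThread). The following is an added example, not code from the original article or from FortiGuard: a small rule that parses constructed Sysmon-style Event ID 8 records and flags the combination of indicators this campaign produces. The field names mirror Sysmon’s EventData layout; the host-process watchlist, trusted directories and the sample records are assumptions made for the example.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that look like a
miner being injected into a legitimate Windows process such as wuapp.exe.

Added example, not the article's or FortiGuard's code.  The sample
records below are constructed; field names follow Sysmon's EventData.
"""
import re
from dataclasses import dataclass

# Legitimate Windows binaries that malware commonly hides inside (assumed list).
HOST_WATCHLIST = {"wuapp.exe", "svchost.exe", "explorer.exe", "notepad.exe"}

# Directories a legitimate cross-process thread creator is expected to run from
# (assumed; tune to the environment).  Compared case-insensitively.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


@dataclass
class RemoteThreadEvent:
    source_image: str   # process that called CreateRemoteThread
    target_image: str   # process the new thread was created in
    start_address: str  # thread entry point
    start_module: str   # module backing the entry point; empty for injected code


def parse_event(block: str) -> RemoteThreadEvent:
    """Parse one 'Field: value' block into a RemoteThreadEvent."""
    fields = {}
    for line in block.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return RemoteThreadEvent(
        source_image=fields.get("SourceImage", ""),
        target_image=fields.get("TargetImage", ""),
        start_address=fields.get("StartAddress", ""),
        start_module=fields.get("StartModule", ""),
    )


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def reasons(ev: RemoteThreadEvent) -> list:
    """Return the indicators this event trips (empty list means clean)."""
    out = []
    if basename(ev.target_image) in HOST_WATCHLIST:
        out.append("target is a commonly abused Windows host process")
    if not ev.source_image.lower().startswith(TRUSTED_DIRS):
        out.append("thread created by a binary outside a trusted directory")
    if not ev.start_module:
        out.append("thread start address is not backed by any loaded module")
    return out


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """Require at least two indicators to keep single-signal noise down."""
    return len(reasons(ev)) >= 2


def scan(blocks) -> list:
    """Return the parsed events that trip the rule."""
    return [ev for ev in map(parse_event, blocks) if is_suspicious(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # A dropper run from the user's Temp directory injecting into wuapp.exe.
    """
    SourceImage: C:\\Users\\victim\\AppData\\Local\\Temp\\hacked_site_report.exe
    TargetImage: C:\\Windows\\System32\\wuapp.exe
    StartAddress: 0x0000000002A10000
    StartModule:
    StartFunction:
    """,
    # A Windows component starting a thread in explorer.exe from ntdll.dll.
    """
    SourceImage: C:\\Windows\\System32\\csrss.exe
    TargetImage: C:\\Windows\\explorer.exe
    StartAddress: 0x00007FFB12345678
    StartModule: C:\\Windows\\System32\\ntdll.dll
    StartFunction: RtlUserThreadStart
    """,
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"ALERT {ev.source_image} -> {ev.target_image}: {'; '.join(reasons(ev))}")
```

The rule deliberately needs two of the three signals: an empty StartModule alone fires on some legitimate software (debuggers, some AV hooks), and a watchlisted target alone fires constantly for svchost.exe. A miner injected from a user-writable path trips all three. Pair the alert with a process-level check, since wuapp.exe running hot on every core with an outbound connection to a mining pool is the other half of the picture.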

Researchers also noted that the mining malware reuses the same trick VenusLocker used to fool users: the real executable carries the hidden file attribute, and a shortcut (.lnk) file posing as a document launches it.

“An interesting observation is that this same scheme has been used by VenusLocker in the past. To confirm this assumption, we had to take a closer look at the shortcut 
files’ metadata, and sure enough, we found a direct relation to the ransomware. Aside from the target paths, the shortcut files used during the VenusLocker ransomware 
period are practically identical to the ones being used in this campaign,” researchers said. 

FortiGuard researchers say the switch to cryptocurrency mining by ransomware crooks is a growing trend that could extend into 2018. “With cryptocurrency values being
more enticing than ever, it is a real possibility,” they said.
Comments (2)

1. Marco Garcia, January 5, 2018 @ 7:26 am

There is a long list of idiots who are more than willing to download software to their laptops and cellphones to “mine” while they are sleeping, completely oblivious 
to the threats they are exposing themselves to, with the false belief they will be obtaining free money or altcoin(s). 


2. Gwen Collier, January 9, 2018 @ 12:33 pm

What can I download to do away with this vulnerability. I am not seeing that information so we can read and read and be warned but WHAT can we do about it? 